rocknsm / rock

Automated deployment scripts for the RockNSM network hunting distribution.
http://rocknsm.io
Apache License 2.0
446 stars, 96 forks

Line 9 of rock/playbooks/vars/rocknsm_config.dist.yml does not screen all necessary interfaces #206

Closed ghost closed 6 years ago

ghost commented 6 years ago

{{ ansible_interfaces | difference(['lo', ansible_default_ipv4.interface | default('lo') ])| list }}

This code will detect things like virbr0 as a viable interface. We need to update it so that it excludes this sort of thing. Suggest it prompts the user for confirmation of the management and monitor interfaces.

dcode commented 6 years ago

Came by to drop some thoughts/hints for someone that wants to explore this.

I don't know the full logic necessary to do this more cleanly yet. Ansible has the facts about all the interfaces. Ideally, monitor interfaces don't have IPs associated with them, so we could maybe filter out anything that received a DHCP address.

To go down that road, you'll want to look at the output of ansible localhost -m setup from a sensor box. You could look for interfaces without an IPv4 address (IPv6 link-local is the default until disabled). There are a number of ways to do the logic in the vars; I'd suggest the json_query filter. It is very powerful (similar to jq).

At the end of the day, the user will need to modify the variable in the config if they need something super complex.

dcode commented 6 years ago

One more thing, a shell script/ansible play that prompts the user for answers and generates/modifies the config.yml file would also be acceptable. The full deployment must be non-interactive, but we could allow for a user to answer questions in a wizard to modify our chosen defaults.

I'm totally open to other opinions here.

Duckmanjbr commented 6 years ago

Causes Bro to error out on load: -> systemctl status broctl.service

Dec 18 04:50:20 simplerockbuild.simplerock.lan broctl[7429]: starting virbr0-nic ...
Dec 18 04:50:20 simplerockbuild.simplerock.lan broctl[7429]: virbr0-nic terminated immediately after starting; check output with "diag"
Dec 18 04:50:20 simplerockbuild.simplerock.lan systemd[1]: broctl.service: control process exited, code=exited status=1
Dec 18 04:50:21 simplerockbuild.simplerock.lan systemd[1]: Failed to start Bro Network Intrusion Detection System (NIDS).
Dec 18 04:50:21 simplerockbuild.simplerock.lan systemd[1]: Unit broctl.service entered failed state.

Duckmanjbr commented 6 years ago

I have made this a little smarter when selecting the interfaces it adds into /etc/rocknsm/config.yml. If we want fully automated or down to one interface, more work will need to be done. The current fix should at least eliminate NSM from starting up Bro and Snort on dead interfaces.
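The interface screening dcode sketched above (drop lo and the default-route interface, then drop anything that already has an IPv4 address), extended with the "dead interface" check this last comment is about, written out as an added example. This is not code from the rock project; it works on a constructed dict shaped like the relevant subset of `ansible localhost -m setup` output (ansible_interfaces, ansible_default_ipv4, and one ansible_<iface> dict per interface with the real fact keys ipv4, type and active). The virtual-name prefix list and the rock_monifs variable name are assumptions, not taken from the page.

```python
"""Pick candidate monitor interfaces from Ansible setup-module facts.

Added example, not code from rocknsm/rock. Rejection rules, in order:
  1. loopback and the default-route (management) interface,
  2. anything with an IPv4 address (DHCP or static: not a sniffing port),
  3. bridges and common virtual-device name prefixes (virbr0, docker0, ...),
  4. interfaces Ansible reports as not active (no link), which is what made
     broctl fail on virbr0-nic in the thread.
"""
import re

# Constructed sample facts, shaped like `ansible localhost -m setup` output.
# Ansible turns '-' and ':' in a device name into '_' in the fact key,
# so virbr0-nic lives under ansible_virbr0_nic.
SAMPLE_FACTS = {
    "ansible_interfaces": ["lo", "eth0", "eth1", "virbr0", "virbr0-nic", "eth2"],
    "ansible_default_ipv4": {"interface": "eth0", "address": "192.0.2.10"},
    "ansible_lo": {"device": "lo", "type": "loopback", "active": True,
                   "ipv4": {"address": "127.0.0.1"}},
    "ansible_eth0": {"device": "eth0", "type": "ether", "active": True,
                     "ipv4": {"address": "192.0.2.10"}},          # management
    "ansible_eth1": {"device": "eth1", "type": "ether", "active": True},  # sniffing
    "ansible_virbr0": {"device": "virbr0", "type": "bridge", "active": True,
                       "ipv4": {"address": "192.168.122.1"}},    # libvirt bridge
    "ansible_virbr0_nic": {"device": "virbr0-nic", "type": "ether", "active": False},
    "ansible_eth2": {"device": "eth2", "type": "ether", "active": False},  # no link
}

# Assumed list of virtual-device name prefixes worth excluding by name alone.
VIRTUAL_NAME = re.compile(r"^(virbr|docker|br-|veth|vnet|tap|tun)")


def fact_key(iface):
    """Map a device name to its Ansible fact key (ansible_virbr0_nic etc.)."""
    return "ansible_" + iface.replace("-", "_").replace(":", "_")


def candidate_monitor_interfaces(facts, require_active=True):
    """Return (selected, rejected) where rejected maps name -> reason."""
    default_iface = facts.get("ansible_default_ipv4", {}).get("interface", "lo")
    selected, rejected = [], {}
    for name in facts.get("ansible_interfaces", []):
        detail = facts.get(fact_key(name), {})
        if name == "lo" or name == default_iface:
            rejected[name] = "loopback or default-route interface"
        elif "ipv4" in detail:
            rejected[name] = "has IPv4 address %s" % detail["ipv4"].get("address")
        elif detail.get("type") == "bridge" or VIRTUAL_NAME.match(name):
            rejected[name] = "bridge or virtual interface"
        elif require_active and not detail.get("active", False):
            rejected[name] = "link not active"
        else:
            selected.append(name)
    return selected, rejected


def render_monifs_yaml(ifaces, var_name="rock_monifs"):
    """Render the list as a YAML fragment; the variable name is an assumption."""
    lines = ["%s:" % var_name] + ["  - %s" % i for i in ifaces]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    chosen, dropped = candidate_monitor_interfaces(SAMPLE_FACTS)
    for name, why in dropped.items():
        print("skip %-10s %s" % (name, why))
    print(render_monifs_yaml(chosen), end="")
```

On the sample facts only eth1 survives: eth0 is the default-route interface, virbr0 carries the libvirt address, virbr0-nic fails both the name and the active check, and eth2 has no link. Passing require_active=False keeps eth2 as well, which matches the "more work needed" caveat: a port with no cable today may be the intended monitor port once it is plugged in, so a wizard would want to show the rejection reasons rather than silently drop candidates.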